Steps

Enabling Mutual TLS with Aspen Mesh

Deploy Aspen Mesh

The first step is to login to the Aspen Mesh dashboard at https://my.aspenmesh.io/. We have already created a temporary account for you. The credentials will be visible in your terminal window.

Task: Deploy Aspen Mesh

To connect Aspen Mesh to the Kubernetes cluster provided, you need to run an installation script. We have downloaded it for you already. You can start it with /opt/install.sh

The script will prompt you for your allocated email address and your chosen password. It will also ask you where to deploy the assets. For now, accept the defaults. The Aspen Mesh installation script will then deploy the required components.

After the script has finished, Istio and the Aspen Mesh Agent will be deployed to the cluster.

View the pods with:

kubectl get pods -n istio-system

Step 1 - Mutual TLS Aims

Mutual TLS is a feature of Aspen Mesh with many benefits. It allows pods to authenticate with each other for better policy enforcement, protects pod-to-pod communication from malicious monitoring or manipulation, and can be used to enforce segmentation.

However, enabling mTLS places a few restrictions on a workload. If a workload is affected, these must be worked around, or mTLS must be disabled for that workload, which is explained in the following steps.

Step 2 - Deploying mTLS

Aspen Mesh deployments have Mutual TLS (mTLS) enabled by default! This means all traffic between services within the cluster is encrypted and secured with TLS.

Istio automatically installs the keys and certificates needed for mutual TLS authentication in every sidecar container. Once the Pod is running, run the command below to confirm that the key and certificate files exist under /etc/certs:

If the target ports are omitted, then this policy will disable mTLS on all ports for the service.

Step 4 - Remove TLS from Consumer Calls

The previous step disabled mTLS for the service. However, consumers of the service within the cluster will still expect TLS to be required. As a result, if you send an HTTPS response then it will fail.
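As an added illustration of the mismatch this step describes (not part of the original scenario or of Aspen Mesh), the checker below compares the ports on which an Istio authentication Policy turns mTLS off against the ports a DestinationRule tells consumers to stop sending TLS to, and reports ports where the server side is plaintext but clients would still send TLS. The manifests are constructed samples expressed as Python dicts mirroring the YAML fields of the Istio v1alpha1 Policy and v1alpha3 DestinationRule APIs; the service name httpbin and its ports are made up.

```python
# Added example: spot server/client TLS mismatches between an Istio Policy and
# a DestinationRule. Manifests are constructed dicts mirroring the YAML fields.

# Constructed Policy: no 'peers' entry, so mTLS is off on the listed target ports.
POLICY = {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
          "metadata": {"name": "httpbin-legacy", "namespace": "default"},
          "spec": {"targets": [{"name": "httpbin",
                                "ports": [{"number": 8000}, {"number": 8443}]}]}}

# Constructed DestinationRule: consumers stop sending TLS only on port 8000.
RULE = {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
        "metadata": {"name": "httpbin-legacy", "namespace": "default"},
        "spec": {"host": "httpbin.default.svc.cluster.local",
                 "trafficPolicy": {"portLevelSettings": [
                     {"port": {"number": 8000}, "tls": {"mode": "DISABLE"}}]}}}

def mtls_disabled_ports(policy):
    """Return {(service, port)} on which the Policy requires no peer mTLS.
    A Policy without a 'peers' entry disables mTLS on its target ports;
    a target with no 'ports' covers every port ('*')."""
    spec = policy["spec"]
    if spec.get("peers"):  # any peers/mtls entry keeps mTLS on
        return set()
    out = set()
    for target in spec.get("targets", []):
        ports = [p["number"] for p in target.get("ports", [])] or ["*"]
        out.update((target["name"], port) for port in ports)
    return out

def tls_disabled_ports(rule):
    """Return {(service, port)} the DestinationRule sends plaintext to.
    Assumes the host is a cluster-local FQDN; the first label is the service."""
    spec = rule["spec"]
    host = spec["host"].split(".")[0]
    tp = spec.get("trafficPolicy", {})
    out = set()
    if tp.get("tls", {}).get("mode") == "DISABLE":
        out.add((host, "*"))
    for pls in tp.get("portLevelSettings", []):
        if pls.get("tls", {}).get("mode") == "DISABLE":
            out.add((host, pls["port"]["number"]))
    return out

def find_mismatches(policies, rules):
    """Ports where the server expects plaintext but no rule tells consumers so."""
    server_off = set().union(*(mtls_disabled_ports(p) for p in policies))
    client_off = set().union(*(tls_disabled_ports(r) for r in rules))
    return {(svc, port) for svc, port in server_off
            if (svc, port) not in client_off and (svc, "*") not in client_off}

if __name__ == "__main__":
    print(find_mismatches([POLICY], [RULE]))  # {('httpbin', 8443)}
```

Run against real manifests by loading each YAML document into a dict; any reported (service, port) pair is one where consumer calls will fail until the DestinationRule also disables TLS for that port.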

Help

Katacoda offers an Interactive Learning Environment for developers. This course uses a command line and a pre-configured sandboxed environment for you to use. Below are useful commands when working with the environment.

cd <directory>             Change directory

ls                         List directory

echo 'contents' > <file>   Write contents to a file

cat <file>                 Output contents of file

Vim

In the case of certain exercises you will be required to edit files or text. The best approach is with Vim. Vim has two different modes, one for entering commands (Command Mode) and the other for entering text (Insert Mode). You need to switch between these two modes based on what you want to do. The basic commands are: